3 About NESEC
- Founded 2002 as a system integrator specialised in IT security in Freising (near Munich, Germany)
- Strong focus on security in production environments
- Close cooperation with ABB Automation Products; development of security concepts and solutions for ABB customers
- Security analysis and penetration tests, even in live production, to identify possible threats and rate risks
- Working solutions to secure production plants and SCADA systems without interrupting production
- Customers include Munich Airport, Krupp-Mannesmann steel production, Volkswagen, Altana Pharma, and more
NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 3 Hacking SCADA Petroleum Safety Authority V1.2 November 2006

5 What are SCADA and control systems?
- The power in your home
- The water in your home
- Where the wastewater goes
- The cereals and milk for breakfast
- Traffic lights on the way to the office
- The commuter train control system
- The phone system to your office
- The air conditioning in your office building
- The convenience food in the canteen
- much, much more

7 Well-known Incidents
- Aaron Caffrey, 19, brought down the Port of Houston in October; this is thought to be the first well-documented attack on critical US infrastructure.
- In August 2003, computer systems of CSX Transportation were infected by a computer virus, halting passenger and freight train traffic in Washington, DC.
- In 2003, the east coast of America experienced a blackout; while not the cause, many of the related systems were infected by the Blaster worm.
- Computers and manuals seized in 2003 in Al Qaeda training camps were full of SCADA information related to dams and related structures.
- The safety monitoring system of the Davis-Besse nuclear power plant in Ohio was offline for 5 hours due to the Slammer worm in January.
- Hackers penetrated the California Independent System Operator, which oversees most of the state's electricity transmission grid; the attacks were routed through CA, OK, and China.

8 Well-known Incidents
- In 2000, former employee Vitek Boden released a million litres of water into the coastal waters of Queensland, Australia.
- A Brisbane hacker used radio transmissions in 2000 to create raw sewage overflows on the Sunshine Coast.
- In 2000, the Russian government announced that hackers had succeeded in gaining control of the world's largest natural gas pipeline network (owned by Gazprom).
- In 1997, a teenager broke into NYNEX and cut off Worcester Airport in Massachusetts for 6 hours, affecting both air and ground communications.
- In 1992, a former Chevron employee disabled its emergency alert system in 22 states, which wasn't discovered until an emergency happened that needed alerting.

12 Problems with SCADA
SCADA = no authentication
- What is the identity of an automated system?
- OPC on Windows requires anonymous login rights for DCOM
- How can policies such as "change your password monthly" be applied to automated systems running unattended for years?
- How do you manage rights for each person?
SCADA = no patching
- Systems never needed patches in the past: install a system, replace it in 10 years
- Large window of vulnerability

13 Problems with SCADA
SCADA = not connected to the Internet
- Often believed: not interconnected at all
- Found in reality: numerous uncontrolled connections
- Even unconnected networks get connected via dial-in or notebooks from support personnel
SCADA = insecure design and implementation
- Simple passwords used by many people and never changed
- Anonymous FTP, Telnet without password
- Access limitations in control software are often not used

17 Real World Example
Claim: "We are secure because the oil production network is completely separate from the rest of the corporate network."
- Flaw #1: network diagrams don't match reality. They show the desired configuration, not the actual configuration.
- Flaw #2: the diagram obviously doesn't match reality. Dial-in for remote support is in the office network, not the production network, so how can they connect?
- Flaw #3: notebooks. Notebooks are often used by support personnel to trace problems. Are they secured?
- Flaw #4: insecure production network. No patches, no segmentation; if one system gets compromised, it can bring down everything.
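One way to test Flaws #1 and #2 (the diagram versus the traffic actually seen) is to compare observed flow records against the zones and allowed paths the diagram claims exist. This is an added Python example, not NESEC's tooling or anything from the talk; the zone address ranges, the allowed zone pairs and the flow records are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed example: the zones as drawn on a (hypothetical) plant network diagram.
# Address ranges and zone names are assumptions for this example, not from the talk.
ZONES = {
    "office": ipaddress.ip_network("10.1.0.0/16"),
    "production": ipaddress.ip_network("10.2.0.0/16"),
    "dialin": ipaddress.ip_network("10.9.0.0/24"),  # remote-support pool, lives in the office network
}

# The diagram's intended rule set: which zone may open connections to which.
# Anything not listed is supposed to be impossible ("completely separate").
ALLOWED = {
    ("office", "office"),
    ("production", "production"),
    ("dialin", "office"),
}

Flow = namedtuple("Flow", "src dst dport")

def zone_of(addr):
    """Map an address to its diagram zone; 'unknown' covers e.g. a support notebook."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"

def audit(flows):
    """Return the observed flows the diagram says cannot exist, with their zone pair."""
    violations = []
    for f in flows:
        pair = (zone_of(f.src), zone_of(f.dst))
        if pair not in ALLOWED:
            violations.append((f, pair))
    return violations

# Constructed flow records standing in for a firewall log or NetFlow export.
SAMPLE_FLOWS = [
    Flow("10.1.5.20", "10.1.5.30", 445),    # office to office: matches the diagram
    Flow("10.9.0.7", "10.2.10.5", 23),      # dial-in host reaching a production Telnet port
    Flow("10.2.10.5", "10.2.10.6", 102),    # within production: matches the diagram
    Flow("192.168.77.3", "10.2.10.5", 21),  # unknown address (a notebook?) using FTP to production
    Flow("10.1.5.20", "10.2.10.5", 135),    # office workstation reaching production DCOM endpoint mapper
]

if __name__ == "__main__":
    for flow, (src_zone, dst_zone) in audit(SAMPLE_FLOWS):
        print(f"{src_zone} -> {dst_zone}: {flow.src} -> {flow.dst}:{flow.dport}")
```

Each reported line is a connection the diagram claims cannot happen; fed with real export data, the list is the gap between the desired and the actual configuration.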

25 Tools used in the Live Hack 29/11
- Some tools only work well with a Unix operating system, e.g. Nmap and Nessus
- For the live hacking today we use the following tools:
  - SuperScan4 from Foundstone (a division of McAfee, Inc.) (free download: )
  - Metasploit Exploit Framework (see: )
  - SecurityFocus Vulnerability Database (a division of Symantec Corp.) (see: )
- The complete vulnerability scan with Nessus will be skipped due to time constraints

26 What's in the future
- Microsoft currently does a good job securing their systems
- There already is a trend to attack different parts of the operating system:
  - backup software and anti-virus, because agents are installed on all systems
  - completely new environments: production plants
- It is only a matter of time before automation systems will be attacked
- A good indicator is the SANS Top 20 Internet Security Vulnerabilities (see: )

27 What's in the future
- 2006 was the year of application break-ins
  - widespread automated exploits for office applications, but also backup software, anti-virus and personal firewalls
  - new and automated attacks against web applications
- 2007 will be the year of network components
  - exploits for routers, switches and all the networking gear
  - critical infrastructure like DNS will be targeted again
- 2008 will be the year of embedded and automation systems
  - many issues are fixed, new targets are required
  - these systems are finally connected to the networks

31 Shift in awareness necessary
- Control systems have become very similar to office environments. They need to be treated similarly.
- Control systems are interconnected to corporate networks or even the Internet. They need the same (or even better) protection.
- Shift in security awareness:
  - IT security should be part of the initial design process, not an add-on later
  - IT security should be part of the standard maintenance procedures, not only after an incident
  - Every employee is responsible for IT security

32 Awareness is Rising Finally
- ISS gave a presentation on SCADA Security at the Black Hat Federal Conference in January 2006
- They found lots of problems in widely used software:
  - OPC has many buffer overflows
  - OPC over DCOM is often very insecure
- and, while analysing SCADA systems:
  - SCADA systems usually have no authentication
  - SCADA systems are usually not patched
- "You can go to the store and buy a book on pen-testing that will give you all the knowledge you need to cause a widespread power blackout!"

34 Lessons learned
- IT security is becoming very important
  - Control networks are no longer isolated networks
  - Automation systems are no longer specialised platforms
  - They are new targets
  - They are interesting targets
- Hacking tools are easy to use
  - Everybody can attack and break into systems
  - The tools are readily available
  - If you are not protected, you will be hacked
- There is neither cause to panic nor cause to ignore the issue

36 What NESEC can do
- Expertise in penetration testing of process control networks
- Working and applicable concepts and solutions to secure production IT environments and PCNs
- Review of existing security concepts
- Development of Best Practices for PCNs
- What can we do for you?

HACKING RELOADED
Hacking IS simple!
Christian H. Gresser, cgresser@nesec.de
Agenda
- About NESEC
- IT security and control systems
- Hacking is easy: a short example
- Where we currently are
- Possible solutions
IT security
